The MAILING DATE of this communication appears on the cover sheet with the correspondence address
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1.136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133).
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1.704(b). 

Status 

1) [X] Responsive to communication(s) filed on 15 August 2005.
2a) [X] This action is FINAL. 2b) [ ] This action is non-final.

3) [ ] Since this application is in condition for allowance except for formal matters, prosecution as to the merits is closed in accordance with the practice under Ex parte Quayle, 1935 C.D. 11, 453 O.G. 213.

Disposition of Claims 

4) [X] Claim(s) 1-36 is/are pending in the application.

4a) Of the above claim(s) ______ is/are withdrawn from consideration.

5) [ ] Claim(s) ______ is/are allowed.

6) [X] Claim(s) 1-36 is/are rejected.

7) [ ] Claim(s) ______ is/are objected to.

8) [ ] Claim(s) ______ are subject to restriction and/or election requirement.

Application Papers 

9) [ ] The specification is objected to by the Examiner.

10) [ ] The drawing(s) filed on ______ is/are: a) [ ] accepted or b) [ ] objected to by the Examiner.

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a).
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d).

11) [ ] The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152.

Priority under 35 U.S.C. § 119 
2. [ ] Certified copies of the priority documents have been received in Application No. ______.

* See the attached detailed Office action for a list of the certified copies not received.

DETAILED ACTION

This action is in response to the Applicant's Remarks and Amendments filed 
August 15, 2005. 

Claims 1-36 are pending and herein considered. 



Response to Arguments 

Applicant's arguments filed August 15, 2005 have been fully considered but they 
are not persuasive. 

In response to the Applicant's assertion that claims 1-10 are directed to statutory
subject matter, the examiner would like to point out lines 10-24 on page 2 of the
previous office action, specifically:

"whether the claim is directed merely to a method that is not tied to a 
technological art, environment, or machine which would result in a practical 
application producing a concrete, useful, and tangible result to form the 
basis of statutory subject matter under 35 U.S.C. 101" 

The Applicant's claims 1-10 fail to produce a tangible result even after the 
Applicant's amendments to those claims. 

In response to the Applicant's arguments concerning Nerurkar's failure to teach a 
"computer-implemented method", the Examiner would like to first point out that the 
author is an associate at the Software Concept Laboratory at Infosys Technologies 
Limited, which is in and of itself, sufficient to suggest that the concept disclosed in the 
paper is in fact to be used in software, which is "computer-implemented". In addition, 
the title of the magazine the article appeared in is "Dr.Dobbs' Software Tools for the 
Professional Programmer", once again, suggesting that the method disclosed would be 
programmed into software by a professional programmer. Thirdly, the Examiner would
like to point to the first paragraph of Nerurkar's article which states the purpose of the
article - "the need to include security as one of the concerns in the functional analysis
and design of the software itself". Such a phrase suggests that the author's intentions
were to include the method disclosed within software.

In order to better understand the extent of the Applicant's computer 
implementation, the Examiner referred back to the Applicant's Specification, specifically 
the second and third full paragraphs on page 10 wherein the Applicant describes how 
his 'application developer' "drafts a model to select and interconnect the model 
components" and then "selects those threats significant to each model component" and 
"after identifying the potential security threats decides whether to counter the identified 
threats". From these paragraphs, it is clear to the Examiner that the Applicant's 
"computer-implemented method" is not entirely computer implemented, and in fact relies 
upon an application developer. The Examiner would like to mention once again 
Nerurkar's job at a software lab, where one could properly refer to her as an application 
developer. 

In response to the Applicant's arguments regarding claim 2 and Nerurkar's failure 
to disclose wherein "the model components comprise a module, a port, a store, or a 
wire", the Examiner respectfully disagrees and draws the Applicant's attention to Figure 
2 on page 54. Within Nerurkar's "Partial Onion Peel Module", Nerurkar interconnects 
her series of modules (object sets) and ports (i.e. File transfers, TCP/IP, FTP) with a 
series of wires (lines) defining a communication route, and depicted by lines. It is clear 
from this diagram, that Nerurkar's Partial Onion Peel Module utilizes the ports, modules,
wires, and modules taught by the Applicant. 

In response to the Applicant's arguments regarding claim 3 and Nerurkar's failure 
to disclose wherein the "potential security threats comprise at least one subset of 
authentication, authorization, auditing, privacy, integrity, availability, and
non-repudiation" the Examiner would like to respectfully disagree. The Examiner would like
to draw the Applicant's attention to the phrase "at least one subset of", which would
suggest that a disclosure of any subset of authentication, authorization, auditing, 
privacy, integrity, availability, and non-repudiation would satisfy the limitation of claim 3. 
The Examiner would now like to draw the Applicant's attention to page 56 of Nerurkar, 
specifically column 1 paragraph 3, wherein the potential security threats comprise at 
least one subset of authentication (IA), authorization (AZ), auditing (00), privacy, 
integrity (00), and availability. 

In response to the Applicant's arguments regarding claim 5 and Nerurkar's failure 
to disclose wherein the "selecting a particular component of the model components" and 
"responsive to selecting the particular component, displaying each other component of 
the model components that comprise at least a subset of similar potential security 
threats as a particular component" the Examiner respectfully disagrees. The Applicant 
cites paragraph 3 on page 52 wherein Nerurkar describes how the "onion is now 
partitioned into peels based on the similarity in the nature and criticality of the security 
concerns of the components". The Examiner would like to encourage the Applicant to 
read on further to where Nerurkar teaches how these peels are created to be used later 
in the analysis portion, so that one might focus on a particular component and others
with similar or related security concerns (paragraph 3). Nerurkar also goes on to 
illustrate wherein her 'web interface of the application', one of her particular 
components, is placed in an internet user interface peel, where the concerns are those 
of controlling access, restricting sensitive data modification, and so on. All components 
with those same security concerns are then placed in the peel alongside the web 
interface of the application component, displaying the other components with similar 
potential security threats as that component. 

In response to the Applicant's arguments regarding claim 6 and Nerurkar's failure 
to disclose "selecting a particular component of the model components" and "responsive 
to selecting the particular component, displaying each other component of the model 
component that comprises a particular security threat similar to a security threat already 
addressed with respect to the particular component" the Examiner respectfully 
disagrees. Once again, the Examiner would like to encourage the Applicant to read 
page 52 paragraph 2 through page 54 paragraph 4 wherein Nerurkar teaches how 
these peels are created to be used later in the analysis portion, so that one might focus 
on a particular component and others with similar or related security concerns (page 52 
par 3). Nerurkar also goes on to illustrate wherein her 'web interface of the application', 
one of her particular components, is placed in an internet user interface peel, where the 
concerns are those of controlling access, restricting sensitive data modification, and so 
on. All components with those same security concerns are then placed in the peel 
alongside the web interface of the application component, displaying the other 
components with similar potential security threats as that component (page 52 par 4).
Within the peels, the objects are selected with similar security concerns, such as her 
example concerning authentication servers and their associated databases and key 
management services, all concerned with authentication (page 54 par 4). Such a model 
of analysis is also recursively applied to ensure security and deal with objects added, 
deleted, and changed (page 54 par 4). 

In response to Applicant's arguments concerning independent claims 11 and 21, 
paralleling those for claim 1, the Examiner respectfully disagrees for the same reasons 
as disclosed above in regards to claim 1. 

In response to Applicant's arguments concerning dependent claims 12-20, and 
22-30, the Examiner respectfully disagrees for the same reasons as disclosed above in 
regards to claims 2-10 above. 

In response to Applicant's arguments concerning independent claim 31, 
paralleling those for claim 1, the Examiner respectfully disagrees for the same reasons 
as disclosed above in regards to claim 1. In response to Applicant's use of the
means-plus-function form paragraph, the Examiner would like to point out that the Applicant
fails to explain what structure, material, or act Nerurkar fails to teach, and it is the
Examiner's contention that Nerurkar fully discloses all the limitations of claim 31, for the
same reasons as Nerurkar fully discloses all the limitations of claim 1.

In response to Applicant's arguments concerning claims 32-33, the Examiner 
respectfully disagrees for the same reasons as disclosed above in regards to claims 2-3 
above. 

In view of the previous arguments, the Examiner respectfully disagrees with the
Applicant's argument that Nerurkar fails to disclose claim 1 in its entirety, and maintains 
the 35 U.S.C. 102(a) rejections corresponding to claims 1-10 as provided in the 
previous office action. 

For substantially the same reasons as given with respect to claims 1-10, the 
Examiner maintains the 35 U.S.C. 102(a) rejections corresponding to claims 11-20,
21-30, and 31-36 as provided in the previous office action.

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Tamara Teslovich whose telephone number is (571)
272-4241. The examiner can normally be reached on Mon-Fri 8-4:30.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on (571) 272-3865. The fax phone
number for the organization where this application or proceeding is assigned is
571-273-8300.

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 